Donkey sentence: Difference between revisions
In 1998 [[Gerhard Frey]] first proposed using '''trace zero varieties''' for cryptographic purposes. These varieties are subgroups of the divisor class group of a low-genus hyperelliptic curve defined over a [[finite field]]. These groups can be used to build [[Public-key cryptography|asymmetric cryptography]] with the [[discrete logarithm]] problem as the cryptographic primitive.
Trace zero varieties offer better scalar multiplication performance than elliptic curves. This allows fast arithmetic in these groups, which can speed up the computations by a factor of 3 compared with elliptic curves and hence speed up the cryptosystem.
Another advantage is that for groups of cryptographically relevant size, the group order can simply be calculated from the characteristic polynomial of the Frobenius endomorphism. This is not the case, for example, in [[elliptic curve cryptography]] when the group of points of an elliptic curve over a prime field is used.
However, more bits are needed to represent an element of a trace zero variety than an element of an elliptic or hyperelliptic curve. Another disadvantage is that a cover attack can reduce the security of the TZV by <sup>1</sup>/<sub>6</sub><sup>th</sup> of the bit length.
== Mathematical background ==
A [[hyperelliptic curve]] ''C'' of genus ''g'' over a prime field <math>\mathbb{F}_q</math>, where ''q'' = ''p''<sup>''n''</sup> (''p'' prime) of odd characteristic, is defined as
: <math>
C:~y^2 + h(x)y = f(x),
</math>
where ''f'' is monic, deg(''f'') = 2''g'' + 1 and deg(''h'') ≤ ''g''. The curve has at least one <math>\mathbb{F}_q</math>-rational Weierstraß point.
The [[Jacobian variety]] <math>J_C(\mathbb{F}_{q^n})</math> of ''C'' is, for every finite extension <math>\mathbb{F}_{q^n}</math>, isomorphic to the ideal class group <math>\operatorname{Cl}(C/\mathbb{F}_{q^n})</math>. With ''Mumford's representation'' it is possible to represent the elements of <math>J_C(\mathbb{F}_{q^n})</math> by a pair of polynomials [''u'', ''v''], where ''u'', ''v'' ∈ <math>\mathbb{F}_{q^n}[x]</math>.
The ''Frobenius endomorphism'' σ acts on an element [''u'', ''v''] of <math>J_C(\mathbb{F}_{q^n})</math> by raising each coefficient of that element to the power ''q'': σ([''u'', ''v'']) = [''u''<sup>''q''</sup>(''x''), ''v''<sup>''q''</sup>(''x'')]. The characteristic polynomial of this endomorphism has the following form:
: <math>
\chi(T) = T^{2g} + a_1T^{2g-1} + \cdots + a_gT^g + \cdots + a_1q^{g-1}T + q^g,
</math>
where ''a''<sub>''i''</sub> ∈ {{Unicode|ℤ}}.
With the ''Hasse–Weil theorem'' it is possible to obtain the group order over any extension field <math>\mathbb{F}_{q^n}</math> by using the complex roots τ<sub>''i''</sub> of χ(''T''):
: <math>
|J_C(\mathbb{F}_{q^n})| = \prod_{i=1}^{2g} (1 - \tau_i^n)
</math>
Let ''D'' be an element of <math>J_C(\mathbb{F}_{q^n})</math>. Then it is possible to define an endomorphism of <math>J_C(\mathbb{F}_{q^n})</math>, the so-called ''trace of D'':
: <math>
\operatorname{Tr}(D) = \sum_{i=0}^{n-1} \sigma^i(D) = D + \sigma(D) + \cdots + \sigma^{n-1}(D)
</math>
Based on this endomorphism one can restrict the Jacobian variety to a subgroup ''G'' with the property that every element has trace zero:
: <math>
G = \{ D \in J_C(\mathbb{F}_{q^n})~|~\operatorname{Tr}(D) = \textbf{\textit{0}} \}, ~~~(\textbf{\textit{0}} \text{ the neutral element in } J_C(\mathbb{F}_{q^n})),
</math>
''G'' is the kernel of the trace endomorphism and thus ''G'' is a group, the so-called '''trace zero (sub)variety''' (TZV) of <math>J_C(\mathbb{F}_{q^n})</math>.
The intersection of ''G'' and <math>J_C(\mathbb{F}_{q})</math> consists of ''n''-torsion elements of <math>J_C(\mathbb{F}_{q})</math>. If <math>\gcd(n, |J_C(\mathbb{F}_q)|) = 1</math>, the intersection is trivial and one can compute the group order of ''G'':
: <math>
|G| = \dfrac{|J_C(\mathbb{F}_{q^n})|}{|J_C(\mathbb{F}_q)|} = \dfrac{\prod_{i=1}^{2g} (1 - \tau_i^n)}{ \prod_{i=1}^{2g} (1 - \tau_i)}
</math>
The actual group used in cryptographic applications is a subgroup ''G''<sub>0</sub> of ''G'' of large prime order ''l''. This group may be ''G'' itself.<ref>G. Frey and T. Lange: "Mathematical background of public key cryptography"</ref><ref>T. Lange: "Trace zero subvariety for cryptosystems"</ref>
There are three cases of cryptographic relevance for TZVs:<ref>R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"</ref>
*''g'' = 1, ''n'' = 3
*''g'' = 1, ''n'' = 5
*''g'' = 2, ''n'' = 3
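The group-order formulas above, applied to a toy instance as an added worked example (this is not code from the article or from the cited papers): the genus-1 curve ''E'': ''y''<sup>2</sup> = ''x''<sup>3</sup> + ''x'' + 1 over F<sub>7</sub> with the TZV case ''n'' = 3. The curve, the point count and all function names are this example's own choices. It evaluates |''J''<sub>''C''</sub>(F<sub>''q''<sup>''n''</sup></sub>)| = ∏(1 − τ<sub>''i''</sub><sup>''n''</sup>) literally over the complex roots of χ(''T''), and goes one step beyond the page by cross-checking that value against an exact integer recurrence (Newton's identities on the power sums of the roots), which is how one would do it without floating point.

```python
import cmath
from math import gcd

# Constructed toy instance (not from the article): E: y^2 = x^3 + a x + b over F_p,
# a hyperelliptic curve of genus g = 1, so chi(T) = T^2 + a_1 T + q in the page's convention.

def count_points(p, a, b):
    """Brute-force |E(F_p)| for E: y^2 = x^3 + a x + b, counting the point at infinity."""
    total = 1  # point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        total += sum(1 for y in range(p) if (y * y) % p == rhs)
    return total

def frobenius_a1(p, a, b):
    """Coefficient a_1 of chi(T) = T^2 + a_1 T + q; chi(1) = |E(F_q)| gives a_1 = |E(F_q)| - q - 1."""
    return count_points(p, a, b) - p - 1

def jacobian_order_roots(a1, q, n):
    """|J_C(F_{q^n})| = prod_i (1 - tau_i^n) over the two complex roots tau_i of chi (Hasse-Weil)."""
    disc = a1 * a1 - 4 * q                      # negative by the Hasse bound, so the roots are complex
    roots = [(-a1 + sgn * cmath.sqrt(disc)) / 2 for sgn in (1, -1)]
    prod = 1
    for tau in roots:
        prod *= 1 - tau ** n
    return round(prod.real)                      # the product is an integer up to rounding error

def jacobian_order_recurrence(a1, q, n):
    """Same count with exact integers: s_k = tau_1^k + tau_2^k satisfies s_k = -a_1 s_{k-1} - q s_{k-2}."""
    s_prev, s_cur = 2, -a1                       # s_0 and s_1
    for _ in range(n - 1):
        s_prev, s_cur = s_cur, -a1 * s_cur - q * s_prev
    return 1 - s_cur + q ** n                    # = (1 - tau_1^n)(1 - tau_2^n) since tau_1 tau_2 = q

def tzv_order(a1, q, n):
    """|G| = |J_C(F_{q^n})| / |J_C(F_q)|, valid when gcd(n, |J_C(F_q)|) = 1 (page's condition)."""
    base = jacobian_order_recurrence(a1, q, 1)
    if gcd(n, base) != 1:
        raise ValueError("n shares a factor with |J_C(F_q)|; the quotient is not |G|")
    ext = jacobian_order_recurrence(a1, q, n)
    assert ext % base == 0                       # J_C(F_q) is a subgroup of J_C(F_{q^n})
    return ext // base

if __name__ == "__main__":
    q, n = 7, 3
    a1 = frobenius_a1(q, 1, 1)                   # -3, so chi(T) = T^2 - 3T + 7
    print("|E(F_7)|   =", count_points(7, 1, 1))
    print("|E(F_7^3)| =", jacobian_order_roots(a1, q, n), jacobian_order_recurrence(a1, q, n))
    print("|G|        =", tzv_order(a1, q, n))   # 76 = 4 * 19, so G_0 has prime order l = 19
```

For this curve |''E''(F<sub>7</sub>)| = 5 and |''E''(F<sub>7<sup>3</sup></sub>)| = 380, so |''G''| = 76 = 4 · 19 and the cryptographic subgroup ''G''<sub>0</sub> has order ''l'' = 19. The same two functions answer the question a practitioner actually has at parameter-selection time: whether the quotient has a large prime factor, computed without ever enumerating the extension-field group.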
== Arithmetic ==
The arithmetic used in the TZV group ''G''<sub>0</sub> is based on the arithmetic of the whole group <math>J_C(\mathbb{F}_{q^n})</math>, but the ''Frobenius endomorphism'' σ can be used to speed up scalar multiplication. If ''G''<sub>0</sub> is generated by ''D'' of order ''l'', then σ(''D'') = ''sD'' for some integer ''s''. For the given cases of TZV, ''s'' can be computed as follows, where the ''a''<sub>''i''</sub> are the coefficients of the characteristic polynomial of the Frobenius endomorphism:
* For ''g'' = 1, ''n'' = 3: <math>s = \dfrac {q-1} {1 - a_1} \bmod{\ell} </math>
* For ''g'' = 1, ''n'' = 5: <math>s = \dfrac {q^2-q-a_1^2q+a_1q+1} {q-2a_1q+a_1^3-a_1^2+a_1-1} \bmod{\ell} </math>
* For ''g'' = 2, ''n'' = 3: <math>s = - \dfrac {q^2-a_2+a_1} {a_1q-a_2+1} \bmod{\ell}</math>
Knowing this, it is possible to replace any scalar multiplication ''mD'' (|''m''| ≤ ''l''/2) with:
: <math>
m_0D + m_1\sigma(D) + \cdots + m_{n-1}\sigma^{n-1}(D), ~~~~\text{where }m_i = O(\ell^{1/(n-1)}) = O(q^g)
</math>
With this trick the number of doublings in the multi-scalar multiplication drops to about 1/(''n'' − 1) of those needed to compute ''mD'' directly, if the implied constants are small enough.<ref>R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"</ref><ref>T. Lange: "Trace zero subvariety for cryptosystems"</ref>
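The Frobenius trick above, checked on actual group elements as an added worked example (constructed here, not code from the article or the cited papers). It builds F<sub>7<sup>3</sup></sub> = F<sub>7</sub>[''t'']/(''t''<sup>3</sup> − 2) and the curve ''E'': ''y''<sup>2</sup> = ''x''<sup>3</sup> + ''x'' + 1, for which |''E''(F<sub>7</sub>)| = 5, ''a''<sub>1</sub> = −3, |''G''| = 76 and ''l'' = 19 (all of this is the example's own toy choice). It then finds a trace-zero point ''D'' of order ''l'' as ''D'' = 4(''P'' − σ(''P'')), evaluates the page's ''g'' = 1, ''n'' = 3 formula for ''s'', and verifies that σ(''D'') = ''sD'' and that ''mD'' = ''m''<sub>0</sub>''D'' + ''m''<sub>1</sub>σ(''D'') for short ''m''<sub>''i''</sub>. The short decomposition is found by exhaustive search inside the page's O(''l''<sup>1/2</sup>) bound, which is only feasible because ''l'' is tiny; at real sizes this step is done by lattice reduction, which is not shown here. All function names are this example's own.

```python
# Constructed toy instance (this example's own choice, not from the article):
# q = 7, n = 3, g = 1, E: y^2 = x^3 + x + 1 over F_7 (|E(F_7)| = 5, a_1 = -3),
# F_{7^3} = F_7[t]/(t^3 - 2); |E(F_{7^3})| = 380, so |G| = 380/5 = 76 = 4 * 19.
P_MOD, EXT_DEG, A, B = 7, 3, 1, 1
Q_EXT = P_MOD ** EXT_DEG      # 343
A1 = -3                       # chi(T) = T^2 + a_1 T + q in the page's sign convention
ELL, COFACTOR = 19, 4         # G_0 = subgroup of G of prime order l = 19

# --- F_{7^3} as coefficient triples (c0, c1, c2) = c0 + c1 t + c2 t^2 with t^3 = 2 ---
ZERO, ONE = (0, 0, 0), (1, 0, 0)
def fadd(a, b): return tuple((x + y) % P_MOD for x, y in zip(a, b))
def fneg(a): return tuple((-x) % P_MOD for x in a)
def fsub(a, b): return fadd(a, fneg(b))
def fmul(a, b):
    (a0, a1, a2), (b0, b1, b2) = a, b
    return ((a0*b0 + 2*(a1*b2 + a2*b1)) % P_MOD,      # t^3 -> 2
            (a0*b1 + a1*b0 + 2*a2*b2) % P_MOD,        # t^4 -> 2t
            (a0*b2 + a1*b1 + a2*b0) % P_MOD)
def fpow(a, e):
    r = ONE
    while e:
        if e & 1: r = fmul(r, a)
        a, e = fmul(a, a), e >> 1
    return r
def finv(a): return fpow(a, Q_EXT - 2)   # Fermat: a^(q-2) = a^(-1) for a != 0
def fconst(c): return (c % P_MOD, 0, 0)

# --- E(F_{7^3}) in affine coordinates; None is the neutral element 0 ---
def ec_neg(P): return None if P is None else (P[0], fneg(P[1]))
def ec_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if fadd(y1, y2) == ZERO: return None          # Q = -P (also covers doubling a 2-torsion point)
        lam = fmul(fadd(fmul(fconst(3), fmul(x1, x1)), fconst(A)), finv(fmul(fconst(2), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))
def ec_mul(k, P):
    if k < 0: k, P = -k, ec_neg(P)
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

# --- Frobenius sigma (coefficient-wise q-th power) and the trace Tr = 1 + sigma + sigma^2 ---
def frob(P): return None if P is None else (fpow(P[0], P_MOD), fpow(P[1], P_MOD))
def trace(P):
    T, S = None, P
    for _ in range(EXT_DEG):
        T, S = ec_add(T, S), frob(S)
    return T

def find_tzv_generator():
    """Return D of order l in G. D = COFACTOR * (P - sigma(P)) has trace zero by construction."""
    for c in range(Q_EXT):
        x = (c % 7, (c // 7) % 7, c // 49)
        rhs = fadd(fadd(fmul(fmul(x, x), x), fmul(fconst(A), x)), fconst(B))
        y = fpow(rhs, (Q_EXT + 1) // 4)          # q = 3 mod 4: this is sqrt(rhs) iff rhs is a square
        if fmul(y, y) != rhs: continue
        D = ec_mul(COFACTOR, ec_add((x, y), ec_neg(frob((x, y)))))
        if D is not None: return D
    raise RuntimeError("no suitable point found")

def frobenius_eigenvalue():
    """s = (q - 1) / (1 - a_1) mod l: the page's formula for g = 1, n = 3 (gives 11 here)."""
    return (P_MOD - 1) * pow(1 - A1, -1, ELL) % ELL

def short_decomposition(m):
    """Smallest (m0, m1) with m0 + m1 s = m (mod l), by exhaustive search inside the page's
    O(l^(1/(n-1))) = O(sqrt l) bound; real-size parameters use lattice reduction instead."""
    s, bound, best = frobenius_eigenvalue(), int(ELL ** 0.5) + 1, None
    for m0 in range(-bound, bound + 1):
        for m1 in range(-bound, bound + 1):
            if (m0 + m1 * s - m) % ELL == 0 and (best is None or abs(m0) + abs(m1) < abs(best[0]) + abs(best[1])):
                best = (m0, m1)
    return best

def verify(m=13):
    """Check on a concrete D that sigma acts as multiplication by s and that mD = m0 D + m1 sigma(D)."""
    D, s = find_tzv_generator(), frobenius_eigenvalue()
    m0, m1 = short_decomposition(m)
    return {
        "trace_zero": trace(D) is None,
        "order_l": D is not None and ec_mul(ELL, D) is None,
        "sigma_is_mul_by_s": frob(D) == ec_mul(s, D),
        "split_scalar_mul": ec_mul(m, D) == ec_add(ec_mul(m0, D), ec_mul(m1, frob(D))),
    }

if __name__ == "__main__":
    print("s =", frobenius_eigenvalue(), "| 13 =", short_decomposition(13), "|", verify())
```

Here ''s'' = 11, and one can confirm by hand that it satisfies both χ(''s'') = ''s''<sup>2</sup> − 3''s'' + 7 ≡ 0 and 1 + ''s'' + ''s''<sup>2</sup> ≡ 0 (mod 19), which is exactly where the closed formula for ''s'' comes from: subtracting the two congruences leaves (''a''<sub>1</sub> − 1)''s'' + (''q'' − 1) ≡ 0. The decomposition of ''m'' = 13 is (''m''<sub>0</sub>, ''m''<sub>1</sub>) = (2, 1), so 13''D'' is computed as 2''D'' + σ(''D''), and σ(''D'') costs only two coefficient-wise Frobenius evaluations rather than doublings.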
== Security ==
The security of cryptographic systems based on trace zero subvarieties is, according to the results of<ref>T. Lange: "Trace zero subvariety for cryptosystems"</ref><ref>R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications"</ref>, comparable to the security of hyperelliptic curves of low genus ''g' '' over <math>\mathbb{F}_{p'}</math>, where ''p' '' ~ (''n'' − 1)(''g''/''g' '') for |''G''| ~ 128 bits.
For the cases ''n'' = 3, ''g'' = 2 and ''n'' = 5, ''g'' = 1 the security can be reduced by at most 6 bits for |''G''| ~ 2<sup>256</sup>, because one cannot rule out that ''G'' is contained in the Jacobian of a curve of genus 6. Curves of genus 4 over fields of similar size are far less secure.
== Cover attack on a trace zero crypto-system ==
The attack published in<ref>C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"</ref> shows that the DLP in trace zero groups of genus 2 over finite fields of characteristic different from 2 and 3, with a field extension of degree 3, can be transformed into a DLP in the degree-0 class group of a curve of genus at most 6 over the base field. In this new class group the DLP can be attacked with index calculus methods. This leads to a reduction of the security by <sup>1</sup>/<sub>6</sub><sup>th</sup> of the bit length.
== Notes ==
{{reflist|2}}
== References ==
* G. Frey and T. Lange: "Mathematical background of public key cryptography", Technical report, 2005
* R. M. Avanzi and E. Cesena: "Trace zero varieties over fields of characteristic 2 for cryptographic applications", Technical report, 2007
* T. Lange: "Trace zero subvariety for cryptosystems", Technical report, 2003, http://eprint.iacr.org/2003/094
* C. Diem and J. Scholten: "An attack on a trace-zero cryptosystem"
* M. Wienecke: "Cryptography on Trace-Zero Varieties", ITS-Seminar paper, http://www.crypto.rub.de/its_seminar_ws0708.html, 2008
* A. V. Sutherland: "101 useful trace zero varieties", http://www-math.mit.edu/~drew/TraceZeroVarieties.html, 2007
[[Category:Cryptography]]
Revision as of 05:24, 27 August 2013